Risk

A change analyst performs Risk Analysis to identify and assess factors that may jeopardize an existing
service/system during and after implementation by identifying countermeasures to successfully deal with constraints if
developed and avert possible negative effects on the existing services.

A risk is an event that “may” occur. The probability of it occurring can range from just above 0% to just below 100%
by its very nature; a risk has a negative impact. However, the size of the impact varies in terms of cost and impact on
the CTC brand or some other critical factor. The table below provides a Risk Assessment considering an Impact V/s
its Probability of Occurrence.

Probabilit Impact
Mediu
y Low High Major Severe
m
Almost
Medium High High Emergency Emergency
Certain
Most Likely Medium Medium Medium High Emergency
Possible Low Medium Medium High Emergency
Unlikely Low Medium Medium Medium High
Rare Low Low Medium Medium High

Impact
Impact is a measure of business criticality during and after implementing a change. Impact is generally
differentiated by the scope and the overall effect on the business. Impact can be determined in
consultation with the SME’s and reviewing the formalized Service Level Agreements. Typically the extent
of services, systems and/or the number of users that could be affected defines the scope of an Impact.

The following matrix provides an idea on how to categorize and impact.

Code Definition

Severe • Business critical system and/or service would are affected

• Extensive revenue impact across the customer base.
• Regulatory/Strategic non planned impact which cannot be
deferred till next change schedule.
High • Business critical systems and/or services are severely degraded or
partial loss of mission critical features / functionality.
• Impacting upon a large number of users (non critical services).
• Revenue impact that cannot be deferred but absorbed for a
limited period.
• To be given highest priority for change building, testing, and
implementation resources.
Medium • A change is justified and necessary, but can wait until the next
scheduled release or upgrade.
• No Financial impact.
• Minimal impact to business systems and services.
Low • A change is justified and necessary, but can wait until the next
scheduled release or upgrade.
It is recommended that all High, Medium and Low categorized Impact result from PLANNED activities. Unplanned
requests should be accepted subjected to approval by Senior Management with appropriate justification.

Priority
Change Priority levels can be defined using a variety of variables. As part of the Change Management
process, being able to establish a change priority is part of the change evaluation.

Change Priority levels are typically set at levels such as High, Medium, Low and Urgent or Emergency.
These levels are determined by understanding the combined impact and urgency of the change being
considered. The impact of a change describes the degree of 'disturbance' that a change may have on the
infrastructure or what impact on the business not performing the change may have on the organization.

The urgency of a change is a way of expressing the level of resources that should be applied to the
change being considered. Resources can be in the form of people, infrastructure, costs, etc.
The following chart provides a graphical representation of Priority based on comparing Impact and Urgency.
Urgent

Priority = High Priority = Emergency

CAB approval required E/CAB Approval required
High
URGENCY
Medium

Priority = Low Priority = Medium

Since impact is “Low/Medium” Change
CAB approval required, since impact is
can be approved by CM. (These can
High
comprise of standard change as well)
Low

Low Medium High Major

IMPACT

Code Definition

Emergency • Users require expedited restoration of service as soon as possible.

 • Resolving an issue causing high revenue impact.
• Providing solution to a high delegated user.
• Implement a non-planned solution for highly regulatory/strategic
service/system.(needs additional approval)
• Generally users are unable to work and no work around is
available. Resources may need to be immediately allocated to deploy such
authorized changes.
Urgent • When action is required before the weekly board meeting.
• Need to respond in a timely manner to resolve issues since lack of
change will result in degradation of services or poor data integrity.
• Unplanned but tested change of high business importance.
High • Users require expedited restoration of service, but can bear
 Code Definition

minimal delays.
• Issue causing financial impact across a limited range.
• Having high level dependencies.
Medium • No severe impact identified, but rectification of an incident cannot
be deferred until the next scheduled upgrade.
• Revenue impact that cannot be deferred but absorbed for a
limited period.
Low • Customers may be inconvenienced but a delay in resolution is
considered acceptable
Note  :-
 In case of an emergency the submitted change shall immediately follow the specified fast-track for
authorization by the EC/CAB. If the change fails to recover and requires additional changes to restore service, the
implementer should inform relevant managers for approval.
 Urgency can be determined as the time within which resolution is required or an extent to which the
business or user can bear delay in reaching a resolution. VIP status may also influence the Urgency status. Potential
financial Impact of a service downtime on the business may also influence the Urgency. If a service is simply
degraded or there is an alternate solution, the degree of Urgency will generally be less than for a service that is
completely unavailable with no known workaround or solution. For urgent changes the requestor must procure
approval from their SVP or VP in order to schedule the change, the change should fall within a normal maintenance
window if possible.